Prevent Misconfigurations in the Cloud: Walking Between the Raindrops
Three key takeaways:
- Enterprises are undergoing digital transformation. Business demands based on financial pressures necessitate this revolution. This new perspective drives the teams responsible for developing and maintaining IT infrastructure to embrace the inevitable, become more agile and better manage change.
- Enterprise IT infrastructure configurations are numerous, complex, and fraught with risk. The rapidity and frequency of configuration change, and the context and content of those changes, all contribute to making configuration change management one of the most challenging problems that infrastructure and operations teams regularly face in today’s hybrid or multi-cloud deployments.
- There is a solution to better understand your infrastructural complexity and configuration state: four-dimensional (4D) observability. Observability has become a common claim for vendors who focus on the symptoms of problems once they have already occurred, using telemetry from traces, logs, and metrics. However, this can be drastically improved upon by increasing the scope of monitoring to provide early detection of granular configuration changes and the risk they may impose on stability, security or compliance.
Have you ever tried to walk between raindrops? It’s hard to do. And most people would say that it’s impossible - try it if you like. Rain falls at variable speed, in different locations with drops of varying sizes. Raindrops can vary in viscosity, depending on factors like wind, terrain, and region. Rain is unpredictable and chaotic.
Now imagine, if you will, that each raindrop is a configuration change in your hybrid, multi-cloud infrastructure which, if misconfigured, can be disastrous. Yet many enterprises ask infrastructure and operations professionals to do something just as challenging: “walk between these raindrops” (and don’t get wet) every second, minute and hour of every day. What sounded like a fun experiment quickly becomes a tightrope walk over the Grand Canyon without a safety net. Tracking configuration changes and preventing the impact of misconfiguration is essential to ensuring the reliability, compliance, and security necessary for a business to successfully transform itself digitally.
Leveraging Infrastructure for Real Growth and Innovation
No large enterprise can avoid digital transformation indefinitely. In fact, to get ahead of the curve — to truly grow and innovate — you need to embrace it wholeheartedly. This doesn’t mean hopping on the bandwagon in words only, however; it means acting. But using a siloed approach doesn’t work either. So, what does?
The needs of the business require IT teams to scale and increase productivity. Using digital transformation trends like agile methodologies, a CI/CD pipeline and other automation flows reduces workload pressures on teams, departments, and business units. This is based on an effort to reduce toil, a key part of digital transformation and a driver of the DevOps movement. In fact, any process that happens repeatedly should be automated. At the same time, from a financial standpoint, this frees up funding to go where it’s most needed. There is something big standing in the way of this transformation, however: complexity.
The Challenges of Complexity
There is an enormous and ever-growing number of components in cloud environments — that’s simply how they are constructed. While this abundance of components, their configurations and the myriad of parameters contained in those configurations can be difficult to track, there’s no alternative. A misconfiguration of one of these can have a huge impact on the enterprise’s ability to deliver value to its customers. For example, deployments of microservices, the configurations they depend on, and the changes that occur to them can be challenging to follow, but deploying applications with so many discrete components has become the standard way to operate when using agile methodology. This approach is the result of the need to be more flexible. But more flexibility has a dark side: more things to monitor, more changes to detect, and unfortunately more things to fail.
The reasons for complex deployments with multiple configuration changes, and the potential for more change, didn’t start as technological — they’re related to the business’s need to adapt to changes in the marketplace. This approach impacts many of the components in infrastructure, such as the ones below.
Cloud components can include:
This is by no means an exhaustive list but merely some of the major considerations for infrastructure and operations teams today. And multiply this by the number of cloud environments when an enterprise is utilizing a multi-cloud deployment.
Some cloud components are under your control, but many are inaccessible to you. For example, if you use Lambda functions or one of the APIs in the API marketplace, they are outside your scope of control. However, you must be able to identify a misconfiguration in them and take action to minimize its impact.
Many configurations are quite deep, with each parameter contained within subject to change. But since you must ensure stability in the environment for which you’re responsible, it’s essential to know about these configurations, and monitor them constantly. Why? Because a change in any single configuration might be the underlying root cause for an impact to stability, security, or compliance.
The Key Considerations
Move to facilitating productivity for the business units that require it — one of the key tasks for implementing this is to understand the environment from the perspective of configuration and change, and to be able to calculate the risk imparted by these changes in time to avert impact.
Organizations and the infrastructure and operations teams within them need to move from reactive mode to proactive / prevention mode when misconfigurations occur.
Decision: Control Versus the Need for Speed
Innovation requires speed. Businesses want — and need — to innovate. But if you’re always racing to catch up, how do you maintain control over your environment to deliver what the business requires?
Control typically means rigidity, which rests on the false belief that change isn’t happening now and that nothing is going to change in the future either. Everything is kept exactly as it is. But this approach is the antithesis of flexibility and innovation, which is unhelpful to say the least. You need (and want) to be innovative, and that requires change in how you approach the problem of averting harm from misconfigurations.
How do you deal with these conflicting forces with your business’s applications stuck between the two?
Infrastructure and operations teams need to deliver configuration changes in a reliable way that protects against misconfiguration.
Configuration changes can come in the form of various updates. For example, the need to improve the login processes, or compliance requirements for trade execution can require a configuration change.
But while the clock is ticking, reliability doesn’t stop being a factor. Configuration changes need to be delivered in a compliant way and, obviously, shouldn’t break when they’re rolled out. Change versus reliability is a tough balancing act.
Obstacle: Change Management
Many organizations might consider using their existing change management processes to level the scales in the hybrid, multi-cloud world. However, both change and configuration management — as defined and used by a large number of firms — contain numerous human steps throughout their workflows.
If a team says, “We'll have the CAB meeting on Friday and go over the high-priority change requests,” this plan sounds good in theory, but in reality, it’s simply not quick enough. Teams need to move in a much more agile manner to remain productive in a reactive — let alone preventative — way.
The more human steps in a workflow, the longer it takes. It’s not effective for cloud native, let alone hybrid cloud, environments that need speed and innovation with the control to deliver change reliably.
Even when DevOps teams utilize a configuration repository, they do not deliver a single, democratized one that is accessible to everyone on the team. Instead, they provide a multitude of configuration repositories, each using different formats with differing access points and credentials. In a sense, this is yet another set of silos.
Observing the Way Forward
No vendor is silent on the concept of observability. The problem is that each of them has a different understanding of it.
We need a way to find the unknown unknowns — even without knowing the inner workings of a given system. We know what we need to monitor, but when it comes to the cloud, you don’t have access to all the components you need. Components you didn’t build. Components you can’t instrument.
Observability — when framed correctly — offers a way out of these conundrums that infrastructure and operations teams face every day. A deep awareness of configuration and change — from code to customer — reduces workloads and improves productivity.
You might not be able to walk between actual raindrops without getting wet but there’s a better way through the raindrops of infrastructure configuration changes.